The Hyper-V virtual switch is a software-based layer 2 Ethernet switch that is available by default in Hyper-V Manager once the Hyper-V role is installed on a server. It supports many kinds of management as well as automation through programmatic and extensible interfaces, and it connects virtual machines both to virtual networks and to the physical network. Beyond traditional switching, the Hyper-V virtual switch also provides policy enforcement for security, resource isolation and SLA assurance. These features give today’s multi-tenant environments the ability to isolate workloads and apply traffic shaping, and they also help protect against malicious virtual machines.

The Hyper-V virtual switch is highly extensible. Using Network Device Interface Specification (NDIS) filters as well as the Windows Filtering Platform (WFP), it can be extended by plugins written specifically to interact with the switch. These are called Virtual Switch Extensions and can provide enhanced networking and security capabilities.

In this Howto, let’s take a look at creating and managing Hyper-V virtual switches and take a closer look at the Hyper-V virtual switch itself and some of the considerations and tools used for managing this virtual network construct in Hyper-V.

Hyper-V Virtual Switch Capabilities and Functionality

1. ARP/ND poisoning (spoofing) protection – A common attack on a network is MAC spoofing, in which an attacker sends traffic that appears to come from a source it does not legitimately own. Hyper-V virtual switches prevent this behavior by providing MAC address spoofing protection.

2. DHCP Guard protection – With DHCP guard, Hyper-V can protect against a rogue VM being used as a DHCP server, which helps prevent man-in-the-middle attacks.

6. Private VLANs – Private VLANs can effectively micro-segment traffic, since a private VLAN is basically a VLAN within a VLAN. VMs can be allowed or prevented from communicating with other VMs within the private VLAN construct.

4 Steps total

Step 1: Types of Virtual Switches in Hyper-V

There are three different connectivity configurations for the Hyper-V Virtual Switch that can be configured in Hyper-V. They are:

Private Virtual Switch

With the Private Virtual Switch, communication is allowed only between the virtual machines connected to that private virtual switch.

Internal Virtual Switch

With the Internal Virtual Switch, communication is allowed only between the virtual adapters of the connected VMs and the management operating system.

External Virtual Switch

External Virtual Switches allow communication between the virtual adapters connected to virtual machines and the management operating system. They use the physical adapters connected to the physical switch for external communication.

With the external virtual switch, virtual machines can reach the outside world without any additional routing mechanism in place. With both private and internal switches, however, some form of routing must be added to carry traffic from the internal/private virtual switch to the outside. The primary use case of the internal and private switches is to isolate and secure traffic: when connected to these types of virtual switches, traffic is confined to the virtual machines connected to that switch.

Hyper-V Logical Switches

When utilizing System Center in a Hyper-V environment, the Virtual Machine Manager or VMM fabric enables the use of a different kind of Hyper-V virtual switch – logical switches. A logical switch brings together the virtual switch extensions, port profiles, and port classifications so that network adapters can be consistently configured across multiple hosts. This way, multiple hosts can have the same logical switch and uplink ports associated.

This is similar in feel and function for VMware administrators who have experience with the distributed virtual switch. The configuration for the distributed virtual switch is stored at the vCenter Server level. The configuration is then deployed from vCenter to each host rather than from the host side.

Step 2: Creating Hyper-V Virtual Switches

Hyper-V standard virtual switches can be created using either the Hyper-V Manager GUI or by using PowerShell. We will take a look at each of these methods of configuration and deployment to see how the standard Hyper-V virtual switch can be deployed using either method.

Step 4: Creating Hyper-V Virtual Switches with PowerShell

Using PowerShell for virtual switch creation is a great way to achieve automation in a Hyper-V environment. PowerShell makes it easy to create new Hyper-V virtual switches in just a few simple one-liner cmdlets.

While not part of the Hyper-V virtual switch configuration itself, the Advanced Features at the virtual machine network adapter level include several powerful network protections made possible by the Hyper-V virtual switch, including:

DHCP guard – Protects against rogue DHCP servers

Router guard – Protects against rogue routers

Protected network – A high availability mechanism that ensures a virtual machine is not disconnected from the network due to a failure on a Hyper-V host
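The following is an added example, not code from the original Howto, that ties together Step 4 and the Advanced Features list above: it creates one switch of each connectivity type, applies MAC spoofing protection, DHCP guard, Router guard and an isolated private VLAN to a VM's network adapter, and then audits every VM adapter on the host for adapters whose protections are not in the expected state. The physical NIC name "Ethernet", the switch names, the VM name "TenantVM01" and the PVLAN IDs 100/101 are assumed placeholders.

```powershell
# Added example (not from the original Howto). Assumed names: the physical NIC
# "Ethernet", the switches "ExtSwitch"/"IntSwitch"/"PrvSwitch", the VM "TenantVM01"
# and the PVLAN IDs 100/101 are placeholders; adjust them to your environment.
# Requires the Hyper-V PowerShell module on the host.
Import-Module Hyper-V

# --- Step 4: the three switch connectivity types as one-liners ----------------
# External: bound to a physical adapter; -AllowManagementOS keeps host connectivity
New-VMSwitch -Name 'ExtSwitch' -NetAdapterName 'Ethernet' -AllowManagementOS $true
# Internal: VMs plus the management OS only, no physical uplink
New-VMSwitch -Name 'IntSwitch' -SwitchType Internal
# Private: VMs on this switch only, isolated even from the host
New-VMSwitch -Name 'PrvSwitch' -SwitchType Private

# Confirm what was created and of which type
Get-VMSwitch | Select-Object Name, SwitchType, NetAdapterInterfaceDescription

# --- Advanced Features: per-VM network adapter protections --------------------
# Connect the VM to the private switch, then apply the protections the text lists:
# MacAddressSpoofing Off = the VM may not send frames with a different source MAC,
# DhcpGuard On = DHCP server replies from this VM are dropped by the switch,
# RouterGuard On = router advertisements/redirects from this VM are dropped.
Connect-VMNetworkAdapter -VMName 'TenantVM01' -SwitchName 'PrvSwitch'
Set-VMNetworkAdapter -VMName 'TenantVM01' `
    -MacAddressSpoofing Off `
    -DhcpGuard On `
    -RouterGuard On

# Private VLAN in isolated mode: the VM can talk to the primary VLAN's promiscuous
# port (e.g. a gateway) but not to other isolated VMs on the same secondary VLAN.
Set-VMNetworkAdapterVlan -VMName 'TenantVM01' -Isolated -PrimaryVlanId 100 -SecondaryVlanId 101

# --- Audit: every VM adapter on this host whose protections differ from the
# expected baseline (spoofing allowed, or either guard switched off)
Get-VM | Get-VMNetworkAdapter |
    Where-Object { $_.MacAddressSpoofing -eq 'On' -or
                   $_.DhcpGuard -eq 'Off' -or
                   $_.RouterGuard -eq 'Off' } |
    Select-Object VMName, SwitchName, MacAddressSpoofing, DhcpGuard, RouterGuard |
    Format-Table -AutoSize
```

An empty audit table means every VM adapter on the host has MAC spoofing protection enabled and both guards turned on; any row listed is an adapter to review.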

The Hyper-V Virtual Switch is an integral part of what makes virtualization and virtual connectivity possible in the Hyper-V hypervisor. Creating and managing Hyper-V virtual switches is a critical administration task that Hyper-V administrators need to understand and perform to manage a Hyper-V environment effectively. Hyper-V allows creating a variety of virtual switches that provision connectivity to virtual machines based on the type of connectivity needed: the External, Internal, and Private connectivity types. The Internal and Private virtual switches can be used to ensure isolation for a virtual machine or group of virtual machines.

Hyper-V Logical Switches can be created with System Center Virtual Machine Manager. They are housed at the System Center level and applied to Hyper-V hosts as needed, which allows a standardized and consistent configuration across all Hyper-V hosts. The native Hyper-V tools, Hyper-V Manager and PowerShell, create the standard virtual switch, while System Center Virtual Machine Manager creates logical switches for provisioning across the board. The Hyper-V virtual switch is a powerful networking vehicle that carries traffic in and out of physical and virtual resources, and creating and managing it correctly is key to running production workloads with the connectivity they require.